Full Report
The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Insufficient Randomness in SIPROTEC 5 Session Identifiers
## CVE Details
- **CVE ID:** CVE-2024-54017
- **CVSS Score:**
- CVSS v4.0: **6.9 (Medium)**
- CVSS v3.1: **5.3 (Medium)**
- **CWE:** CWE-334: Small Space of Random Values
## Affected Systems
- **Products:** Siemens SIPROTEC 5 and SIPROTEC 5 Compact devices.
- **Versions:**
- **CP100 Devices:** All versions >= V7.80.
- **CP150/CP300/CP050 Devices:** All versions < V11.0.
- **Configurations:** The vulnerability specifically affects a subset of endpoints provided by the integrated web server. Devices where "Web access is not supported" (e.g., CP200 series) are not affected.
## Vulnerability Description
Affected SIPROTEC 5 devices do not use sufficiently random values when generating the session identifiers for a subset of the endpoints served by their integrated web server. Because the identifiers are drawn from a small space of values (CWE-334), a remote attacker who holds no credentials can simply enumerate that space: with enough requests, one of the guessed identifiers will match a live session, and the attacker can then present it and act as the logged-in user on those endpoints. How the device derives the identifier is not described in the advisory; what matters for the attack is the number of distinct values it can take.
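The mechanics of a small session-identifier space, as an added illustration that is not SIPROTEC 5 code and makes no claim about how the affected firmware derives its identifiers: a hypothetical server hands out 16-bit session IDs (`WeakSessionStore`), an unauthenticated client enumerates that space until a guess resolves to a live session, and the same server with 128-bit identifiers from the OS CSPRNG (`StrongSessionStore`) is shown beside it. The `expected_guesses` and `hours_to_hijack` helpers are also assumptions introduced here, to turn a space size and a request rate into an attack-time estimate.

```python
import hashlib
import secrets
import time


class WeakSessionStore:
    """Hypothetical web server whose session IDs come from a 16-bit value space.

    Constructed illustration of CWE-334, not SIPROTEC 5 code: the ID is the
    first two bytes of a hash over a coarse timestamp and a counter. However
    the bytes are derived, only 2**16 = 65,536 distinct IDs can ever exist,
    so an attacker who enumerates that space is guaranteed to hit a live one.
    """

    SPACE_BITS = 16

    def __init__(self):
        self._counter = 0
        self.sessions = {}  # session id -> user name

    def login(self, user):
        self._counter += 1
        seed = f"{int(time.time())}:{self._counter}".encode()
        sid = hashlib.sha256(seed).digest()[:2].hex()  # 4 hex chars = 16 bits
        self.sessions[sid] = user
        return sid

    def resolve(self, sid):
        """What an endpoint does with a presented ID: look it up, or reject."""
        return self.sessions.get(sid)


class StrongSessionStore(WeakSessionStore):
    """The same server with the fix a practitioner expects: 128 bits from the
    OS CSPRNG via the secrets module, so enumeration is infeasible."""

    SPACE_BITS = 128

    def login(self, user):
        sid = secrets.token_hex(16)  # 32 hex chars, 128 random bits
        self.sessions[sid] = user
        return sid


def brute_force(store, max_guesses=1 << 17):
    """Enumerate the store's ID space as an unauthenticated client would over
    the network, one request per candidate. Returns (sid, user, guesses) on
    a hit, or None once the guess budget is spent."""
    width = store.SPACE_BITS // 4  # hex digits per ID
    for guess in range(min(1 << store.SPACE_BITS, max_guesses)):
        sid = format(guess, f"0{width}x")
        user = store.resolve(sid)
        if user is not None:
            return sid, user, guess + 1
    return None


def expected_guesses(space_bits, live_sessions=1):
    """Expected guesses until the first hit when an N-value space holding k
    live sessions is enumerated without repeats: (N + 1) / (k + 1)."""
    n = 2 ** space_bits
    return (n + 1) / (live_sessions + 1)


def hours_to_hijack(space_bits, live_sessions, requests_per_second):
    """Attack-time estimate for a given ID space and sustained request rate."""
    return expected_guesses(space_bits, live_sessions) / requests_per_second / 3600


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.login("operator")
    print("weak store hijacked:", brute_force(weak))
    strong = StrongSessionStore()
    strong.login("operator")
    print("strong store after 2**17 guesses:", brute_force(strong))
    print("hours, 16-bit space, 50 req/s:", hours_to_hijack(16, 1, 50))
    print("hours, 128-bit space, 1e6 req/s:", hours_to_hijack(128, 1, 1e6))
```

Against the weak store the hijack succeeds within 65,536 requests regardless of how the identifier bytes are encoded; at 50 requests per second that is well under an hour, while the 128-bit space needs on the order of 10^28 hours even at a million requests per second. That is the point CWE-334 makes about a fix: widen the value space with a CSPRNG rather than merely change the derivation.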
## Exploitation
- **Status:** No known exploitation. The advisory reports no exploitation in the wild and provides no public proof of concept.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Allows unauthorized read access to limited information from the web server).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating affected CP150, CP300, and CP050 devices to **V11.0 or later**.
- **CP150 Support Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109757432/
- **CP300 Support Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109800399/
- **CP050 (Compact) Support Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109796884/
*Note: For CP100 devices, a fix is currently being prepared but is not yet available.*
### Workarounds
- **Network Segmentation:** Protect network access with firewalls, VLANs, and VPNs to ensure the devices are only accessible within a trusted environment.
- **Operational Guidelines:** Adhere to Siemens' grid security guidelines available at hxxps://www.siemens[.]com/gridsecurity.
## Detection
- **Indicators of Compromise:** Many requests from a single source address that present different session identifier values within a short time, most of them rejected (unauthorized or redirected to login), is session-identifier enumeration; the same source then getting a request accepted is a likely hijack.
- **Detection methods:** The advisory does not describe device-side logging, so monitor traffic to the device's web server ports at a firewall, proxy, or network sensor. Alert on request rate and on the number of distinct session identifier values per source address, and on any web access to the device from outside the trusted segment the workarounds above define.
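The indicator above as detection logic, as an added example that is not from the advisory: the log format (source address, ISO timestamp, request line, status, session ID) is a constructed one for a reverse proxy or network sensor placed in front of the device, since the page describes no device-side logging, and the sample lines are constructed to hold one legitimate operator and one source enumerating 16-bit identifiers. The function flags a source that presents many distinct session IDs in a short window with mostly rejected responses, and reports the first ID that source later has accepted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical sensor log line:
#   <src> [<ISO timestamp>] "<request line>" <status> sid=<session id>
# Constructed format for this example, not a SIPROTEC 5 log.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) sid=(?P<sid>\S*)$'
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "src": m["src"],
            "ts": datetime.fromisoformat(m["ts"]),
            "status": int(m["status"]),
            "sid": m["sid"],
        })
    return events


def detect_session_bruteforce(events, window_seconds=10, min_distinct_ids=20,
                              min_reject_ratio=0.8):
    """Flag sources that present many distinct session IDs in a sliding window
    and are mostly rejected. Thresholds are assumptions; tune to the site."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, trigger = 0, None
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e["sid"] for e in span}
            rejected = sum(e["status"] in (401, 403) for e in span)
            if len(distinct) >= min_distinct_ids and rejected / len(span) >= min_reject_ratio:
                trigger = start
                break
        if trigger is None:
            continue
        tail = evs[trigger:]  # everything from the start of the triggering window on
        accepted = [e["sid"] for e in tail if e["status"] == 200]
        alerts.append({
            "src": src,
            "first_seen": tail[0]["ts"].isoformat(),
            "guessed_ids": len({e["sid"] for e in tail}),
            "hijacked_sid": accepted[0] if accepted else None,
        })
    return alerts


def constructed_log():
    """Constructed sample: one legitimate client plus one session-ID brute-forcer."""
    t0 = datetime(2025, 3, 1, 10, 0, 0)
    lines = []
    # Legitimate operator: one session ID, a request every 30 s, all accepted.
    for i in range(4):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f'10.0.0.5 [{ts}] "GET /status HTTP/1.1" 200 sid=a7c1')
    # Attacker: 40 different 16-bit IDs in 4 s, all rejected, then one accepted.
    for i in range(40):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f'10.0.0.99 [{ts}] "GET /status HTTP/1.1" 401 sid={i:04x}')
    ts = (t0 + timedelta(seconds=4)).isoformat()
    lines.append(f'10.0.0.99 [{ts}] "GET /status HTTP/1.1" 200 sid=a7c1')
    return lines


def run():
    return detect_session_bruteforce(parse(constructed_log()))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The distinct-ID count is what separates enumeration from an operator who merely reloads a page, and the trailing accepted request is the difference between an attempt and a compromise, so the alert carries the accepted identifier for the responder to invalidate.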
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-786884.html
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories